A rise in outbound email, driven by COVID-19 and work from home, is being blamed for an increase in data breaches. Overall, 93% of the IT leaders surveyed for this report said their organisations had suffered data breaches in the last 12 months. The number is staggering but also raises a question as to what exactly the criteria for a data breach were. The details emerged in the 2020 Outbound Email Data Breach Report (registration required) published by Egress Software.
Egress CEO Tony Pepper comments: “Unfortunately, legacy email security tools and the native controls within email environments, such as Outlook for Microsoft 365, are unable to mitigate the outbound email security risks that modern organisations face today. They rely on static rules or user-led decisions and are unable to learn from individual employees’ behaviour patterns. This means they can’t detect any abnormal changes that put data at risk – such as Outlook autocomplete suggesting the wrong recipient and a tired employee adding them to an email.”
The survey was carried out by Arlington Research. They interviewed 538 senior managers responsible for IT security in the UK and US. The respondents worked across vertical sectors, including financial services, healthcare, banking and legal.
Key numbers from the reports
Egress has split the research into two reports, UK and US. Neither report states the size of the organisations concerned, so it is difficult to know how many are multinational and how many are mid-sized enterprises.
- 94% of surveyed organisations are sending more emails due to COVID-19. 68% say they have seen increases of between 26% and 75%
- 93% of surveyed organisations suffered outbound email data breaches in the past 12 months
- Top three causes of data breaches: 80% wrong recipient added to an email, 80% wrong file attached, 80% replied to a phishing attack. These are closely followed by 78% not using encryption, 76% intentional exfiltration and 75% using bcc incorrectly.
- Organisations reported an average of at least 180 incidents per year, equating to approximately one every 12 working hours
- 70% believe that remote working raises the risk of sensitive data being put at risk from outbound email data breaches
- 62% rely on people-led reporting to identify outbound email data breaches. 46% of the employees responsible were disciplined, and 27% were fired
- 37% of breaches caused by tired and stressed out employees
- 35% of the most serious breaches caused by remote working
The problem with relying on software
Software vendors like to tout how clever their software is. They promote features that are designed to save time but not, necessarily, to prevent mistakes. The report calls out the problem of autocomplete and its role in data breaches.
As any user of Twitter, instant messaging or SMS will know, autocomplete always has your back – not! The ease with which the wrong recipient can be added to an email or the wrong word used is well known. However, it seems that users are not taking time out to check what autocomplete is doing when it comes to names in an email.
As the report highlights: “One respondent claimed that they sent a confidential message to a colleague, only to find out there were nine individuals of the same name in her organisation.”
As can be seen from the numbers above, not checking autocomplete and sending an email to the wrong recipient can have a poor outcome. In addition to 27% being fired, 28% of employees faced legal action. The consequences are not just for the employee: 26% of organisations were investigated by the regulator and 33% suffered financial damage.
The use of encryption to protect emails has been on the rise. But with employees using their own technology, including software, encryption usage has fallen. The study shows that 33% of organisations are not using encryption effectively, if at all. If employees start to use their own software solutions, that number is likely to increase.
Before you shrug this off with a ‘so what?’
As bad as the numbers look, there is a little bit of ‘so what’ in them. Employees sent home and expected to work were always going to be an increased risk. Part of that is down to software, part to process and part to the human element.
Offices can be noisy places, but home can be even worse. Many workers have discovered that sharing the kitchen table with children and partners is distracting. It increases the chance of a mistake. Even those who were able to find space to work or who live alone had to deal with issues. Those living in flats or terraced housing suddenly discovered neighbours.
Work from home has also caused an increased amount of email. Employees no longer able to talk to the person next to them now send that person emails. For those companies that have tried to limit the use of email, this has delivered a setback.
Some organisations quickly resorted to collaboration software to reduce email. They also saw such solutions as providing a way for teams to keep in touch. However, the increased response to phishing attacks and the rise in successful business email compromise attacks shows that hasn’t worked.
Enterprise Times: What does this mean?
Mistakes happen, and we are all guilty of it. I’ve sent replies to a PR person without checking the autocomplete and then had to deal with the outcome. The issue here is how to improve security and reduce risks.
Better user training is one thing, but it has to be more than just sending more emails and pointers to online courses. Understanding how different users learn takes time and effort but is far cheaper than a regulatory fine. Building and delivering effective training takes time but far less than dealing with the aftermath of a data breach.
Processes also need to be reviewed. How do you detect phishing attacks before they become a problem? How do you replace that office environment that prevents a BEC attack when users are scattered to their homes? Outbound email is not a good replacement for personal interaction.
Software has its place but needs to be used consistently across the user base. As companies look to reduce their cost base and rely on employees to buy technology, they increase their risk. Another survey by Trend Micro a few days back showed that three in ten employees say IT-backed solutions are “nonsense.” Companies need to either enforce software standards and controls or provide solutions that reduce the risk this creates.
Egress Software believes that, from a software perspective, any solution needs to provide data loss prevention (DLP). It also has to include encryption and better access security.
As Pepper points out: “This problem is only going to get worse with increased remote working and higher email volumes creating prime conditions for outbound email data breaches of a type that traditional DLP tools simply cannot handle. Instead, organisations need intelligent technologies, like machine learning, to create a contextual understanding of individual users that spots errors such as wrong recipients, incorrect file attachments or responses to phishing emails, and alerts the user before they make a mistake.”
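The kind of contextual pre-send check Pepper describes, and the nine-people-with-the-same-name autocomplete case the report quotes, can be sketched as a simple recipient check. This is an added illustration, not Egress code or the report's method: the directory, the sender history and the domain `example.com` are all constructed sample data, and the rules are deliberately static rather than learned.

```python
"""Pre-send recipient checks for outbound email (added example).

Flags three autocomplete slips the report describes: a display name that
resolves to several mailboxes, an address that does not belong to the
name typed, and a first message to an external domain the sender has
never written to. Directory and history below are constructed samples.
"""
from dataclasses import dataclass
from email.utils import parseaddr

INTERNAL_DOMAIN = "example.com"  # assumed domain of the organisation

# Constructed directory: display name -> mailboxes known for that name.
DIRECTORY = {
    "Sam Jones": ["sam.jones@example.com", "sam.jones2@example.com",
                  "s.jones@example.com"],
    "Priya Patel": ["priya.patel@example.com"],
}

# Constructed per-sender history of domains previously emailed.
HISTORY = {"alice@example.com": {"example.com", "partner.example.org"}}


@dataclass
class Alert:
    recipient: str
    reason: str


def check_outbound(sender, recipients, history=HISTORY, directory=DIRECTORY):
    """Return an Alert for every recipient that looks like an autocomplete slip."""
    alerts = []
    seen = history.get(sender, set())
    for raw in recipients:
        name, addr = parseaddr(raw)
        domain = addr.rsplit("@", 1)[-1].lower()
        candidates = directory.get(name, [])
        # Same display name, several mailboxes: the user must confirm which one.
        if len(candidates) > 1:
            alerts.append(Alert(addr, f"ambiguous name '{name}': {len(candidates)} matches"))
        # Name typed belongs to someone else than the address autocomplete chose.
        if candidates and addr not in candidates:
            alerts.append(Alert(addr, f"address does not belong to '{name}'"))
        # First email from this sender to an external domain: confirm before send.
        if domain != INTERNAL_DOMAIN and domain not in seen:
            alerts.append(Alert(addr, f"first message to external domain {domain}"))
    return alerts


if __name__ == "__main__":
    for a in check_outbound("alice@example.com", ["Sam Jones <sam.jones@example.com>"]):
        print(a.recipient, "-", a.reason)
```

In a real deployment the directory and history would come from the mail system and the sender's own past traffic; the point is that the warning fires before the message leaves, not after a user reports it.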